Thursday, 3 July 2014

Using Putty to login

We are told every day not to use simple passwords or to reuse the same password on multiple sites. That is good advice, but what is the best alternative?

If you use PuTTY to connect to your AIX or Linux systems, you can create an OpenSSH key pair with the PuTTYgen application and copy the public key to your AIX host, which then lets you log in without entering a password. The disadvantages of this approach are:

  • There is no way to prevent a user from having a key with no passphrase, or to control its quality, content, age and so on. So if somebody gains access to the user's PC they can log in without a password, or steal the key outright.
  • If you are at home, or in another remote location where you don't have access to your private-key file, and you have turned off password authentication, you are stuck. The same applies if you lose the key file.

One possible solution is to restrict root and your normal account(s) to SSH key-only authentication, and then set up a restricted rescue account that has as little functionality and privilege as possible, except that it lets you su or sudo.

Many hackers routinely scan port 22 for SSH services and then try to guess the root password, so one possibility is to set up a dedicated SSH service on port 443: most firewalls allow HTTPS/SSL traffic, and hackers scanning only port 22 would not normally notice SSH there.
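The two ideas above (key-only authentication for root and normal accounts with a password-capable rescue account, and an SSH listener on port 443) both come down to sshd_config settings. The script below is an added example, not from this post: it embeds a constructed "weak" fragment and a constructed "hardened" fragment side by side, then audits them with small POSIX sh/awk functions of the kind you would run against a real /etc/ssh/sshd_config before restarting sshd. The account names admin and rescue, and the choice of a second Port directive (rather than a separate sshd instance) for the 443 listener, are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the blog author's code). Account names "admin" and "rescue"
# and the use of two Port directives for one sshd are assumptions.

# Constructed weak fragment: passwords allowed for everyone, root included,
# and nothing listening on 443.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'

# Constructed hardened fragment: key-only logins in the global scope, a second
# listener on 443, and a Match block that re-enables passwords for the rescue
# account only, with forwarding switched off so the account stays minimal.
# "without-password" is the 2014-era spelling; newer OpenSSH calls it
# "prohibit-password" and still accepts the old name.
HARD_CONFIG='Port 22
Port 443
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers root admin rescue
Match User rescue
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
'

# effective_setting CONFIG KEY: print the global value of KEY (empty if unset).
# Scanning stops at the first Match line because only global scope applies to
# every user; later Match blocks can only narrow things for specific users.
effective_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }'
}

# audit_config CONFIG: return 0 when the global scope enforces key-only logins
# for root and everyone else, 1 otherwise (with one FAIL line per finding).
audit_config() {
    cfg="$1"; rc=0
    pw=$(effective_setting "$cfg" PasswordAuthentication)
    rootlogin=$(effective_setting "$cfg" PermitRootLogin)
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset (sshd defaults to yes)}', expected no"
        rc=1
    fi
    case "$rootlogin" in
        without-password|prohibit-password|no) ;;
        *) echo "FAIL: PermitRootLogin is '${rootlogin:-unset}', root may log in with a password"
           rc=1 ;;
    esac
    return $rc
}

# listens_on CONFIG PORT: return 0 if CONFIG carries a Port directive for PORT.
listens_on() {
    printf '%s\n' "$1" | awk -v p="$2" '
        tolower($1) == "port" && $2 == p { found = 1 }
        END { exit !found }'
}

# rescue_password_allowed CONFIG USER: return 0 if a "Match User USER" block
# re-enables PasswordAuthentication for that user only.
rescue_password_allowed() {
    printf '%s\n' "$1" | awk -v u="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == u); next }
        inblock && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { found = 1 }
        END { exit !found }'
}

echo "== weak fragment =="
audit_config "$WEAK_CONFIG" || echo "weak fragment rejected"
echo "== hardened fragment =="
audit_config "$HARD_CONFIG" && echo "hardened fragment passes"
listens_on "$HARD_CONFIG" 443 && echo "hardened fragment also listens on 443"
rescue_password_allowed "$HARD_CONFIG" rescue && echo "rescue account may still use a password"
```

On a live system, run the same functions over `cat /etc/ssh/sshd_config` and, before restarting, let `sshd -t` parse the file; keep an existing session open until a fresh key-based login and a rescue-account password login have both been confirmed, otherwise the lock-out described in the second bullet above is exactly what you get.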

